
CFO choice: internal controls or business process monitoring

Our business IT landscape is becoming more complex by the day, partly because of new technologies and ongoing systems integration, but more so due to governance legislation and accountability rules. The CFO is in an awkward position here: the need to know as quickly as possible what went right and what went wrong, versus the reality of delayed, aggregated reporting.

Controlling departments or external accountants can do sample testing and might or might not find anomalies. Of course, preventing wrong transactions is far better. This has resulted in a lot of attention to implementing internal controls and a whole industry of consultants to build them. And of course these controls are really useful and in fact ought to be mandatory. Of course you need to know who did what and when within the system. Security and traceability are the foundation for our ever more virtual processes and supporting infrastructures.

But you can spend as much money as you want on internal controls; they will not address the most virtual element of all: the human interaction. Picture this: you have a beautiful ERP system which makes sure that goods received will only be accepted at your warehouse if an authorized employee matches them with an approved purchase order. Traceable, accountable and secure. Human reality is a bit more complex though: if the warehouse operator does not find a purchase order, he or she checks with accounting, and maybe this leads to an instant purchase order to "correct" the fact that the goods have physically been received. Again traceable, accountable and secure. But is it correct business-wise? A simple incident rightly corrected? An omission in the process implementation? Or evidence of fraud? Since the internal controls are unlikely to bring this to our attention, we will never know.

In order to find anomalies such as the one described above, we need another level of monitoring. Where the internal controls focus largely on achieving a standard data input process, we need to achieve a standard business process. Monitoring your business processes, end-to-end, will surface any anomaly or risk around the set parameters of business goals. A lot of existing internal controls can be used to fuel this monitoring. These additional aspects have to be addressed:

Ask the right questions
Focus on a few questions that really have impact for the business in terms of direct money (revenue, costs, profit) or indirect money (valuation, reputation, continuity). Less is more, both in attention value and precedent working. And don't forget that designing and implementing monitoring will cost money in itself so the bottom line, other than being an insurance premium, must be positive.

Ask the questions right
In the example above this seems rather simple: give me all incoming goods transactions where the system date of the purchase order approval lies within x hours of the system date of the goods received entry. But, for instance, an often-seen demand for insight into changes to agreed payment terms and pricing will require more thinking and a more complex implementation, maybe not even fully automated.

Set ownership
It makes no sense to monitor anything if there is no one interested in the results. So unless there is a senior manager with a personal charter or target that is impacted by the business process execution, the best theoretical question will be useless to ask. In principle ownership should reside with a manager directly responsible for the business process, not with somebody from finance or a staff unit.

Quick and transparent follow-up
Act upon the outcome of the monitoring quickly and adequately. It is senseless to have beautiful monitoring dashboards in place when it takes a month for the results to be discussed in the next meeting. An empowered team under the direction of the owner should instantly act to interpret, analyse and act upon the monitoring results. Monitoring of this follow-up must be an integral part of the effort. And if the problem didn't exist, don't keep looking for it.

Continuous by exception
Ask the questions consistently and permanently until it is not a right one anymore. Either the impact is resolved, by means of business process improvement, organisational change and/or embedded control, or there are other questions with more impact. Analyse, tune, adjust and throw away at the earliest possible moment. And if the problem didn't exist, don't keep looking for it.
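
The goods-received question from "Ask the questions right", written out as a runnable query. This is an added example, not part of the original article; the table and column names, the use of SQLite, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from any real system).
PURCHASE_ORDERS = [  # (po_id, approved_by, approved_at)
    ("PO-1001", "a.jansen", "2024-03-01 09:15:00"),
    ("PO-1002", "a.jansen", "2024-03-04 14:05:00"),
    ("PO-1003", "b.devries", "2024-03-05 08:50:00"),
    ("PO-1004", "b.devries", "2024-03-07 16:40:00"),
]
GOODS_RECEIPTS = [  # (gr_id, po_id, entered_by, received_at)
    ("GR-501", "PO-1001", "w.bakker", "2024-03-06 10:00:00"),  # 5 days after approval
    ("GR-502", "PO-1002", "w.bakker", "2024-03-04 14:35:00"),  # 30 min after approval
    ("GR-503", "PO-1003", "w.bakker", "2024-03-05 11:20:00"),  # 2.5 h after approval
    ("GR-504", "PO-1004", "w.bakker", "2024-03-07 16:20:00"),  # 20 min BEFORE approval
]

# gap_hours > 0: PO approved before the receipt; < 0: PO approved after it.
# ABS() catches both, since either can indicate a PO raised to "correct" a delivery.
QUERY = """
SELECT gr.gr_id, gr.po_id, po.approved_by, gr.entered_by,
       ROUND((julianday(gr.received_at) - julianday(po.approved_at)) * 24, 2)
           AS gap_hours
FROM goods_receipts AS gr
JOIN purchase_orders AS po ON po.po_id = gr.po_id
WHERE ABS(julianday(gr.received_at) - julianday(po.approved_at)) * 24 <= :x_hours
ORDER BY gr.received_at
"""

def find_suspect_receipts(x_hours):
    """Return receipts whose PO approval lies within x_hours of the receipt entry."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE purchase_orders "
                "(po_id TEXT PRIMARY KEY, approved_by TEXT, approved_at TEXT)")
    con.execute("CREATE TABLE goods_receipts "
                "(gr_id TEXT PRIMARY KEY, po_id TEXT, entered_by TEXT, received_at TEXT)")
    con.executemany("INSERT INTO purchase_orders VALUES (?, ?, ?)", PURCHASE_ORDERS)
    con.executemany("INSERT INTO goods_receipts VALUES (?, ?, ?, ?)", GOODS_RECEIPTS)
    rows = con.execute(QUERY, {"x_hours": x_hours}).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    for row in find_suspect_receipts(4):
        print(row)
```

Each returned row names both the approver and the person who entered the receipt, so the process owner can judge whether it was a corrected incident or something that needs follow-up.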

Monitoring risk and performance is the way forward. Internal controls are instrumental but too limited. Business process monitoring that focuses on the business performance is required. A dedicated separate solution interfacing with the whole systems landscape seems to be the logical format. A CFO in my opinion has the best position to initiate and facilitate this as a program, embedding execution in the world of the business executive who should matter.
